Your message dated Sat, 18 Dec 2021 20:57:56 +0000
with message-id 
<7c5e58422d4fd1d02cfae36eca731d5d90ba0743.ca...@adam-barratt.org.uk>
and subject line Closing bugs for p-u requests included in 11.2 (part the deux)
has caused the Debian Bug report #1001148,
regarding bullseye-pu: package gerbv/2.7.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001148: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001148
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

gerbv is a utility for viewing Gerber RS-274X files, Excellon drill files,
and CSV pick-and-place files. Gerber files are used for
communicating printed circuit board (PCB) designs to PCB manufacturers.

[ Reason ]
The gerbv upstream project got in contact via the
pkg-electronic-devel mailing list to inform us about a security issue in
gerbv that was found by the Cisco Talos team. That issue got the CVE
number CVE-2021-40391.

https://alioth-lists.debian.net/pipermail/pkg-electronics-devel/2021-November/008221.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40391

This issue was fixed with the release of version 2.7.1; bullseye was
released with version 2.7.0, so this version is affected by the
CVE.
Debian testing and unstable are on version 2.8.1 for gerbv at the time of writing.

[ Impact ]
Users of the unpatched gerbv version from the bullseye release might be
affected by unwanted code execution and lose data.

[ Tests ]
Currently there are no automated or manual tests available to check the
fix for this issue.

[ Risks ]
Nearly zero, the fix for this is quite non-intrusive and really small
(basically it's just one line of code).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The whole change to get the CVE fixed is adding one line of code
within the C file drill.c: within the function drill_parse_T_code() a
'return -1' is needed to solve the issue.

[ Other info ]
Anton Gladky within the LTS team did an upload of version 2.6.1-2+deb9u1
to fix this issue for Debian 9.

https://tracker.debian.org/news/1283553/accepted-gerbv-261-2deb9u1-source-into-oldoldstable/

The debdiff between the old version 2.7.0-2 in bullseye and the prepared
version gerbv_2.7.0-2+deb11u1 is added here as it's not that big.

diff -Nru gerbv-2.7.0/debian/changelog gerbv-2.7.0/debian/changelog
--- gerbv-2.7.0/debian/changelog        2020-06-07 10:01:13.000000000 +0200
+++ gerbv-2.7.0/debian/changelog        2021-12-05 09:14:05.000000000 +0100
@@ -1,3 +1,14 @@
+gerbv (2.7.0-2+deb11u1) bullseye; urgency=medium
+
+  * Build for bullseye
+  * [e983451] Rebuild patch queue from patch-queue branch
+    Added patch:
+    security/Fix-TALOS-2021-1402.patch
+    Fixing CVE-2021-40391
+  * [7d33020] d/gbp.conf: Adjust to branch debian/bullseye
+
+ -- Carsten Schoenert <c.schoen...@t-online.de>  Sun, 05 Dec 2021 09:14:05 
+0100
+
 gerbv (2.7.0-2) unstable; urgency=medium
 
   [ أحمد المحمودي (Ahmed El-Mahmoudy) ]
diff -Nru gerbv-2.7.0/debian/gbp.conf gerbv-2.7.0/debian/gbp.conf
--- gerbv-2.7.0/debian/gbp.conf 2019-02-18 17:55:34.000000000 +0100
+++ gerbv-2.7.0/debian/gbp.conf 2021-12-05 09:14:05.000000000 +0100
@@ -5,7 +5,7 @@
 pristine-tar = True
 # generate gz compressed orig.tar file
 compression = gz
-debian-branch = debian/sid
+debian-branch = debian/bullseye
 upstream-branch = upstream
 
 [pq]
@@ -13,7 +13,7 @@
 
 [dch]
 id-length = 7
-debian-branch = debian/sid
+debian-branch = debian/bullseye
 
 [import-orig]
 # filter out unwanted files/dirs from upstream
diff -Nru gerbv-2.7.0/debian/patches/fixes/gcc10-extern.patch 
gerbv-2.7.0/debian/patches/fixes/gcc10-extern.patch
--- gerbv-2.7.0/debian/patches/fixes/gcc10-extern.patch 2020-06-07 
10:00:34.000000000 +0200
+++ gerbv-2.7.0/debian/patches/fixes/gcc10-extern.patch 2021-12-05 
09:14:05.000000000 +0100
@@ -1,4 +1,5 @@
-From: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmo...@users.sourceforge.net>
+From: =?utf-8?b?Itij2K3ZhdivINin2YTZhdit2YXZiNiv2YogKEFobWVkIEVsLU1haG1v?=
+ =?utf-8?b?dWR5KSI=?= <aelmahmo...@users.sourceforge.net>
 Date: Mon, 25 May 2020 20:05:28 +0200
 Subject: use extern for global vars.
 
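Review bot: this hunk changes no code; it only rewrites the From: header of the existing gcc10-extern.patch from raw UTF-8 into RFC 2047 encoded-words (the =?utf-8?b?...?= form), which is the side effect of regenerating the patch queue that the changelog entry "Rebuild patch queue from patch-queue branch" describes. Harmless, but it is noise in a security-only stable update; exporting only the new patch, or noting in the request that this header change is cosmetic, would keep the debdiff to the one functional change.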
diff -Nru gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch 
gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch
--- gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch       
1970-01-01 01:00:00.000000000 +0100
+++ gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch       
2021-12-05 09:14:05.000000000 +0100
@@ -0,0 +1,27 @@
+From: eyal0 <109809+ey...@users.noreply.github.com>
+Date: Tue, 26 Oct 2021 21:39:25 -0600
+Subject: Fix TALOS-2021-1402
+
+See issue #30
+
+This commit fixes CVE-2021-40391. Background information can be found on
+this URL.
+https://talosintelligence.com/vulnerability_reports/TALOS-2021-1402
+
+Forwarded: 
https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e
+---
+ src/drill.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/drill.c b/src/drill.c
+index bc90524..414872d 100644
+--- a/src/drill.c
++++ b/src/drill.c
+@@ -1115,6 +1115,7 @@ drill_parse_T_code(gerb_file_t *fd, drill_state_t *state,
+               _("Out of bounds drill number %d "
+                   "at line %ld in file \"%s\""),
+               tool_num, file_line, fd->filename);
++      return -1;
+     }
+ 
+     /* Set the current tool to the correct one */
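Review bot: the added `return -1;` is the entire fix, so its effect depends on every caller of drill_parse_T_code() treating a negative return as a failure instead of a tool number; the hunk shows only the error-message context and the "Set the current tool" comment that follows, not the call site, so that handling should be confirmed against the upstream commit named in the Forwarded: line before accepting. On the positive side the existing error message is kept, so the out-of-bounds tool number and file line are still reported, and parsing now stops at that point instead of falling through to the tool-selection code with an unchecked index.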
diff -Nru gerbv-2.7.0/debian/patches/series gerbv-2.7.0/debian/patches/series
--- gerbv-2.7.0/debian/patches/series   2020-06-07 10:00:34.000000000 +0200
+++ gerbv-2.7.0/debian/patches/series   2021-12-05 09:14:05.000000000 +0100
@@ -6,3 +6,4 @@
 fixes/man-page-fix-misspelled-excercise-exercise.patch
 fixes/Fix-Werror-format-security-problem.patch
 fixes/gcc10-extern.patch
+security/Fix-TALOS-2021-1402.patch

I've uploaded gerbv_2.7.0-2+deb11u1 with the target bullseye, please consider
accepting this upload to get into the next point release. Thanks!

Regards
Carsten

--- End Message ---
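The fix described in the [Changes] section above, as an added C example that is not gerbv's code and not part of this bug report: a deliberately simplified drill-file parser in which a T<n> command is parsed, bounds-checked against a fixed-size tool table, and the out-of-bounds path logs the problem and returns -1, so the caller never uses the rejected number as an index. Everything here is an assumption made for the example: the TOOLS_MAX table size, the reduced command set (T<n>C<d> defines a tool, a bare T<n> selects it, X/Y lines are drill hits, M30 ends the program, everything else is ignored), the function names, and the two constructed sample inputs.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not gerbv's code.  The tool table is fixed-size,
 * so a T<n> with n outside [0, TOOLS_MAX) must never be used as an index. */
#define TOOLS_MAX 16            /* assumption: table size for this example */

typedef struct {
    double diameter[TOOLS_MAX]; /* diameter per tool, set by T<n>C<d> */
    int    current_tool;        /* tool selected by a bare T<n>, -1 if none */
    int    hits;                /* X/Y drill hits seen so far */
} drill_state;

/* Parse "T<n>" or "T<n>C<diameter>".  Returns the tool number, or -1 on
 * any error.  The out-of-bounds branch mirrors the gerbv fix: it logs
 * the problem *and* returns, instead of falling through with a bad n. */
int parse_t_code(const char *line, long file_line, double *diam_out)
{
    char *end;
    long tool_num;

    if (line == NULL || line[0] != 'T' || diam_out == NULL)
        return -1;
    *diam_out = 0.0;
    errno = 0;
    tool_num = strtol(line + 1, &end, 10);
    if (end == line + 1 || errno == ERANGE) {
        fprintf(stderr, "Malformed tool number at line %ld\n", file_line);
        return -1;
    }
    if (tool_num < 0 || tool_num >= TOOLS_MAX) {
        fprintf(stderr, "Out of bounds drill number %ld at line %ld\n",
                tool_num, file_line);
        return -1;              /* the one line the CVE fix adds */
    }
    if (*end == 'C') {          /* optional diameter: this is a definition */
        char *dend;
        double d = strtod(end + 1, &dend);
        if (dend == end + 1 || d <= 0.0)
            return -1;
        *diam_out = d;
    }
    return (int)tool_num;
}

/* Parse a whole simplified drill file held in memory.  Returns the number
 * of drill hits, or -1 if any line is rejected; on rejection no table
 * slot has been written through an unchecked index. */
int parse_drill(const char *text, drill_state *st)
{
    char buf[64];
    long file_line = 0;
    const char *p = text;

    memset(st, 0, sizeof *st);
    st->current_tool = -1;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof buf)
            return -1;          /* overlong line: reject, don't truncate */
        memcpy(buf, p, len);
        buf[len] = '\0';
        file_line++;

        if (buf[0] == 'T') {
            double diam;
            int tool = parse_t_code(buf, file_line, &diam);
            if (tool < 0)
                return -1;      /* propagate: never index with a bad value */
            if (diam > 0.0)
                st->diameter[tool] = diam;   /* T<n>C<d>: define tool n */
            else
                st->current_tool = tool;     /* bare T<n>: select tool n */
        } else if (buf[0] == 'X' || buf[0] == 'Y') {
            if (st->current_tool < 0)
                return -1;      /* a hit needs a selected tool */
            st->hits++;
        } else if (strcmp(buf, "M30") == 0) {
            break;              /* end of program */
        }                       /* M48, %, comments: ignored in this toy */
        p = nl ? nl + 1 : p + len;
    }
    return st->hits;
}

/* Wrappers so results can be checked without juggling state by hand. */
int drill_hits(const char *text) { drill_state st; return parse_drill(text, &st); }
int t_code_tool(const char *line) { double d; return parse_t_code(line, 1, &d); }

/* Constructed sample inputs: a well-formed file and one that names tool 99. */
const char DRILL_OK[]  = "M48\nT01C0.8\nT02C1.0\n%\nT01\nX1000Y2000\n"
                         "X1500Y2000\nT02\nX3000Y4000\nM30\n";
const char DRILL_OOB[] = "M48\nT99C0.8\n%\nT99\nX1000Y2000\nM30\n";
```

The point of the example is the shape of the error path, not the format details: a bounds check that only logs leaves the bad value live, and the next statement after the check is exactly where it gets used. Returning from the check, and having the caller treat a negative result as fatal for that file, is what the one-line upstream change restores.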
--- Begin Message ---
Package: release.debian.org
Version: 11.2

Hi,

Each of the updates referenced by these requests was included in
today's bullseye point release, but my original closure mail failed to
correctly handle 7-digit bug numbers. Fixing that omission now.

Regards,

Adam

--- End Message ---